MGT514: Security Strategic Planning, Policy, and Leadership

This training sets the stage for executive level success. If you are interested in ever becoming a CISO, this course is a must.

Karl Hellman, Defense Security Services

I moved into management a few years ago and am currently working on a new security strategy/roadmap and this class just condensed the past two months of my life into a one week course and I still learned a lot!

Travis Evans, SiriusXM

As security professionals we have seen the landscape change. Cybersecurity is now more vital and relevant to the growth of your organization than ever before. As a result, information security teams have more visibility, more budget, and more opportunity. However, with this increased responsibility comes more scrutiny.

This course gives you tools to become a security business leader who can build and execute strategic plans that resonate with other business executives, create effective information security policy, and develop management and leadership skills to better lead, inspire, and motivate your teams.

Develop Strategic Plans

Strategic planning is hard for IT and IT security professionals because we spend so much time responding and reacting. We almost never do strategic planning until we get promoted to a senior position, and then we are not equipped with the skills we need to run with the pack. MGT514 will teach you how to develop strategic plans that resonate with other IT and business leaders.

Create Effective Information Security Policy

Policy is a manager's opportunity to express expectations for the workforce, set the boundaries of acceptable behavior, and empower people to do what they ought to be doing. It is easy to get wrong. Have you ever seen a policy and responded by saying "No way, I am not going to do that"? Most of us have. Policy must be aligned with an organization's culture. In MGT514, we break down the steps to policy development so that you have the ability to design and assess policies that can successfully guide your organization.

Develop Management and Leadership Skills

Leadership is a skill that must be learned, exercised, and developed to better ensure organizational success. Strong leadership is brought about primarily through selfless devotion to the organization and staff, tireless effort in setting the example, and having the vision to see and effectively use available resources toward the end goal.

Effective leadership entails persuading team members to accomplish their objectives, removing the obstacles preventing them from doing it, and maintaining the well-being of the team in support of the organization's mission. MGT514 will teach you to use management tools and frameworks to better lead, inspire, and motivate your teams.

MGT514 uses case studies from Harvard Business School, case scenarios, team-based exercises, and discussions that put students in real-world situations. You will be able to use these same activities with your own team members at work.

The next generation of security leadership must bridge the gap between security staff and senior leadership by strategically planning how to build and run effective security programs. After taking this course you will have the fundamental skills to create strategic plans that protect your company, enable key innovations, and facilitate working effectively with your business partners.

Course Syllabus

MGT514.1: Strategic Planning Foundations

Overview

Creating security-strategic plans requires a fundamental understanding of the business, and a deep understanding of the threat landscape.

CPE/CMU Credits: 6

Topics

Vision and Mission Statements

What they tell you about the organization

Developing a security team mission statement that aligns with organizational goals

Stakeholder Management

Learn to identify, understand, and manage stakeholders in order to make the security team more successful

PEST Analysis

Identify market forces that drive the business in order to better understand business goals

Porter's Five Forces

Understand how business leaders develop strategy

Apply this analysis to security vendors so you can make more informed purchase decisions

Threat Actors

Understand attacker motivations and techniques

Review real-word attack scenarios

Asset Analysis

Understand assets that are most valuable to the business and are of interest to attackers

Threat Analysis

Learn how the intrusion kill chain and threat intelligence can inform strategic planning

MGT514.2: Strategic Roadmap Development

Overview

With a firm understanding of the drivers of business and the threats facing the organization, you will develop a plan to analyze the current situation, identify the target state, perform gap analysis, and develop a prioritized roadmap. In other words, you will be able to determine (1) what you do today (2) what you should be doing in the future (3) what you don't want to do, and (4) what you should do first. Once this plan is in place, you will learn how to build and execute it by developing a business case, defining metrics for success, and effectively marketing your security program.

CPE/CMU Credits: 6

Topics

Historical Analysis

Analyze the past in order to understand the probable future

Values and Culture

Understand the values and culture of your organization in order to align security with the corporate culture and define acceptable working norms

SWOT Analysis

Understand current Strengths, Weaknesses, Opportunities, and Threats

Vision and Innovation

Sustaining versus disruptive innovation

Jobs To Be Done Theory

Learning to innovate with the business

How to provide value to stakeholders

Security Framework

NIST Cybersecurity Framework

Measuring maturity

Gap Analysis

Identifying what needs to be done

Roadmap Development

Identifying what should be done first

Business Case Development

Approaches to obtaining funding

Metrics and Dashboards

Developing effective metrics

Marketing and Executive Communications

Promoting the work of the security team

MGT514.3: Security Policy Development and Assessment

Overview

Policy is one of the key tools that security leaders have to influence and guide the organization. Security managers must understand how to review, write, assess, and support security policy and procedures. Using an instructional delivery methodology that balances lecture, exercises, and in-class discussion, this course section will teach the techniques to create successful policy that employees will read and follow, and that will be accepted by business units.

Students will learn key elements of policy, including positive and negative tone, consistency of policy bullets, how to balance the level of specificity to the problem at hand, the role of policy, awareness and training, and the SMART approach to policy development and assessment.

CPE/CMU Credits: 6

Topics

Purpose of Policy

Role of policy

Establishing acceptable bounds for behavior

Empowering employees to do the right thing

How policy protects people, organizations, and information

Relationship of mission statement to policy

Policy Gap Analysis

Policy versus procedure

Policy needs assessment

Policy Development

Governing policy

Issue-specific policy

Positive and negative tone

Policy Review

Using the SMART approach

Policy review and assessment process

Awareness and Training

Role of psychology in implementing policy

Organizational culture

MGT514.4: Leadership and Management Competencies

Overview

This course section will teach the critical skills you need to lead, motivate, and inspire your teams to achieve your organization's goals. By establishing a minimum standard for the knowledge, skills, and abilities required to develop leadership, you will understand how to motivate employees, and how to develop from a manager into a leader.

CPE/CMU Credits: 6

Topics

Leadership Building Blocks

Creating and Developing Teams

Coaching and Mentoring

Customer Service Focus

Conflict Resolution

Effective Communication

Leading through Change

Relationship Building

Motivation and Self-direction

Teamwork

Leadership Development

MGT514.5: Strategic Planning Workshop

Overview

Using case studies, students will work through real-world scenarios by applying the skills and knowledge learned throughout the course. The case studies are taken directly from Harvard Business School, which pioneered the case study method. The case studies focus specifically on information security management and leadership competencies.

The Strategic Planning Workshop serves as a capstone exercise for the course, enabling students to synthesize and apply concepts, management tools, and methodologies learned in class.

CPE/CMU Credits: 6

Topics

Case study topics include:

Creating a Security Plan for the CEO

Understanding Business Priorities

Enabling Business Innovation

Working with BYODs

Effective Communication

Stakeholder Management

Additional Information

Laptop Not Required

Laptop Not Required

A laptop is not required for this course. Pencil and paper are sufficient for the in-class exercises and discussions.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

CISOs

Information Security Officers

Security Directors

Security Managers

Aspiring Security Leaders

Other Security Personnel Who Have Team Lead or Management Responsibilities

Prerequisites

A strong desire to grow as a leader

A strong desire to develop strategic plans that resonate with IT and other business leaders

Willingness to participate in group exercises and team discussions

What You Will Receive

In this course, you will receive the following:

MP3 audio files of the complete course lecture

You Will Be Able To

Develop security strategic plans that incorporate business and organizational drivers

Develop and assess information security policy

Use management and leadership techniques to motivate and inspire your teams

Press & Reviews

"I have been in I.T. 25 years. This is what I should have began with!" - Brian Bounds - Tx Biomedical

"I moved into management a few years ago and am currently working on a new security strategy/roadmap and this class just condensed the past two months of my life into a one week course and I still learned a lot!" - Travis Evans, SiriusXM

Author Statement

This is the course I wish I had taken when I first started my career. Colleagues, it doesn't make sense to wait till you are in a management position to focus on your governance, management, and leadership skills. If one can improve by one or two percent each year, it is a major achievement. Leadership is a race of endurance, not a sprint; start early and be persistent. This course will set you on the path. It is a solid blend of tons of research as well as personal experience from a number of leaders in information security. I had read about SWOTs for years, but was shocked by how difficult it was to create a strategic plan and get it approved. Some executives or auditors would say it doesn't look out far enough, others would say it isn't realistic to look out so far, some would say you are too bold, others you are too tame. One strategic plan I did the heavy lift on went through 18 revisions and still had only mixed approval. I was reading everything I could on planning and looking at published plans, and finally I saw the key - "plan the plan." It is the same basic notion as "plan the dive, dive the plan." Since senior management generally signs off on policy, you want to write balanced, defendable policy that gets approved the first time. The goal of both the planning and policy sections is simple: to give you the tools to create repeatable, successful products. The final section will help you build management and leadership skills to enhance the organization's climate as well as team-building skills to support the organization's mission and its growth in productivity.